HP Security App Takes Life Cycle Approach

Seven months after ending a two-way lawsuit over patents with competitor
Cenzic, Hewlett-Packard (NYSE: HPQ) has unveiled the latest release of its
Application Security Center.

This new version ensures applications are tested for security throughout the
development process, from requirements all the way through production, instead
of testing after the application has already been created, cutting development
costs and enhancing security.

HP will offer the product in Software as a Service, or SaaS (define),
form.

"The life cycle approach seems obvious in retrospect; you can't add security
at the end," Billy Hoffman, manager of the HP Web security research group, told
InternetNews.com.

Traditionally, developers have "always viewed security vulnerabilities as
something the IT staff takes care of" because, previously, security problems
were at the infrastructure level, which IT maintained. Now that the
infrastructure has become relatively secure, hackers are directly attacking the
application, Hoffman said.

The situation has been exacerbated by the increasingly complex and rich
applications offered, "with the explosion in the past year or two of AJAX (define)
applications and Rich Internet
Applications (RIAs), and the trend among businesses to put more and more
functionality out there for the user," Erik Peterson, HP's senior director of
products for Application Security Center, told InternetNews.com.

Securing applications is not about user rights and control and identity
management; it's about finding unintended functionality in the applications,
Peterson said.

For example, an e-commerce site looks up database tables to check a
customer's credit card number and shipping address, and its unintended
functionality is that it can be tricked into reading and dumping all the
information in that table into a hacker's account.

Building security into an application from the start holds down development
costs -- it's "100 times more expensive to fix a software vulnerability just
before it's going out the door or after it's shipped than to fix it right from
the start," Hoffman said.

The foundation of HP Application Security Center is the HP Assessment
Management Platform. DevInspect (for developers), QAInspect (for QA teams) and
WebInspect ( for operations and security experts) sit on top of the
platform.

QAInspect includes security-defect management capabilities that let QA teams
filter, prioritize and assign defects based on the risk to the business;
WebInspect has been enhanced with faster runtimes and improved scanning accuracy
for the most frequently exploited vulnerabilities, including cross-site
scripting and structured query language, or SQL (define)
injections.

HP will offer Assessment Management Platform in SaaS mode.

The HP Web Security Research Group has added and updated checks in
Application Security Center for RIAs, including critical vulnerabilities in
Apache and MySpace plug-ins, and researched new security issues for Web 2.0
technologies, including AJAX, Adobe Flash and Microsoft Silverlight.

The new security checks are automatically updated for customers within 24
hours, whereas the industry standard is every quarter, according to Petersen. "A
lot of our customers see updates two to three times a day," he added.

Next page: The back story

Page 2 of 2

The back story

HP acquired SPI Dynamics last September, as the latter was locked in a legal
battle with Cenzic.

Back in September 2006, SPI Dynamics had sued Cenzic for allegedly violating
its method of locating vulnerabilities. In July 2007, Cenzic fired back with its
own lawsuit, five months after getting a patent for its own vulnerability search
method in February.

Last October, one month after HP bought SPI Dynamics, the lawsuits were
settled, with HP and Cenzic agreeing to cross-license each others'
technologies.

Developers heavily criticized Cenzic's suit. Many of them believed Cenzic's
patent had no merit and that its countersuit was essentially a move to delay
HP's acquisition of SPI Dynamics.

Still, HP's announcement did not impress Peter Christy, an analyst at
Internet Research Group -- especially the SaaS part of it.

"HP is interested in SaaS, and it's of high strategic importance to HP Labs,
and they were talking about offering printing as a service," he told
InternetNews.com.

"They have competitors -- Cenzic -- that already offer vulnerability testing
as a service rather than as software, so in this case, it's one specific HP
business playing catch-up with the competition."